malware-analysis-writeups/HawkEye/HawkEye.md at main ·
itaymigdal/malware-analysis-writeups
By itaymigdal
Archived: 2026-04-05 20:44:31 UTC
Malware
Name
File Type SHA256
HawkEye
x32 exe
(.NET)
b9561f35b2fa188ed20de24bb67956e15858aeb67441fb31cbcfe84e1d4edc9a
Analysis process
The file is a Dotnet PE:
On execution the file spawns a child process of the legitimate Dotnet AppLaunch.exe:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 1 of 13

There is only one reason to do that - Process Hollowing (A.K.A RunPE). As i learned from the great OALabs
channel, whenever you want to break with a dubugger on an injection to a remote process,
CreateProcessInternalW and WriteProcessMemory are the first calls that you want to put a break on. doing as i
learned gave me a quick treat:
The malware is calling to CreateProcessInternalW , pass AppLaunch.exe as a parameter, and "4" as seventh
argument which will make the process in suspended mode (Process Hollowing creates a process in suspended
mode so it can hollows out the process, inject, and then execute).
We could manually find the unpacked PE in memory and dump it, and we also can be lazy and let great
Hollows_Hunter.exe do it for us:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 2 of 13

😊
Dropping the unpacked (Dotnet as well) to Dnspy hollows out our eyes 😨:
Not sure if the file dumped successfully or this one is perfectly obfuscated. Trying to deobfuscate with De4dot:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 3 of 13

is throwing an error.. a closer look at the file in Dnspy reveals the obfuscator which apparently is not supported /
known by De4dot:
Some googling on deobfuscating ConfuserEx gives us this project which adds to De4dot exactly this capability:
Now the file is dumped and cleand (pretty much) 😎.
Analyzing the code (which is still a bit obfuscated) reveals that this is a kelogger / stealer (with some RAT
capabilities) named HawkEye Reborn version 8:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 4 of 13

Description from Malpedia:
HawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently
spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal
credentials from numerous applications but, in the last observed versions, new "loader capabilities"
have been spotted. It is sold by its development team on dark web markets and hacking forums.
From here on i used only static analysis on the unpacked sample
Anti-Analysis capabilities
Checks if it runs under process monitor software:
Checks if it runs under Sandboxie (SbieDll.dll) or Wireshark:
Disables Task Manager, Cmd, and Regedit:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 5 of 13

Sets hidden + system attributes for itself:
The malware has the functionality to block websites by overriding the Hosts file and redirect them to the localhost
address:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 6 of 13

Stealing capabilities
The malware has Keylogging capabilities (Also called HawkEye Keylogger):
Takes screenshots of the infected computer:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 7 of 13

Steals Chrome browser data:
Steals Firefox browser data:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 8 of 13

Steals CoreFTP software data:
Steals Minecraft data:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 9 of 13

Collects a plenty of more information: internal & external address, geolocation, installed software, clipboard
content, screenshots, passwords and more:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 10 of 13

And post all the data to the C2:
C2: pomf.cat
Persistence:
The malware persist itself via a run key:
More capabilities:
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 11 of 13

The malware uses P/Invoke calls to native libraries to extend the capabilities and harden the analysis:
Seems like the next commands are used to be written into a .bat file that responsible for the persistence via the run
key, it's executes the malware, and then possibly deletes itself (and written back next execution, depending if is
written to "run" or "runonce"):
Also, the malware seems to inject itself into a remote process due to these API calls:
That's it for today, hope you enjoyed ☺️
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 12 of 13

Source: https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
https://github.com/itaymigdal/malware-analysis-writeups/blob/main/HawkEye/HawkEye.md
Page 13 of 13